Outlook Web Access Users Hit With Trojan

Written by Sue Walsh on October 19, 2009


A new spam campaign is targeting Outlook Web Access users with the goal of distributing a nasty Trojan. The messages are slick and professional-looking and tell the recipient that they need to update their mail settings by clicking on the included link. The link leads to a very well made, but fake, Outlook Web Access site. Those who continue, thinking that they are downloading the new settings, download the Zeus Trojan instead.

Zeus lurks on the victim’s hard drive, doing nothing, until the infected computer visits a page related to financial matters, such as a brokerage firm, online banking, PayPal, or a credit card account page. A keylogger is activated when such a page is detected and the login details are stolen. The Trojan can also hijack a browser and redirect the user to a fake version of a bank’s webpage. These so-called “Man in the Browser” attacks are hard to detect.

“This attack illustrates how organized internet crime syndicates are expanding their focus from consumers to enterprises, by targeting employees with credentials to access high value banking, financial, and other web-based applications,” said Mickey Boodaei, CEO of Trusteer. “The level of personalization used in these Phishing messages and the fact that they appear to be coming from the company’s IT department makes this attack very convincing and by extension very dangerous. We are urging enterprises to warn their employees and lock down browser settings to prevent unauthorized code execution inside the browser.”

Experts say that the hackers behind Zeus are targeting corporate users because business accounts tend to have much higher balances than consumer ones. The malicious sites linked to in the spam message are located all over the world in places like Romania, Russia, Colombia, and Hungary, and so far Zeus is not being detected by many anti-virus programs.
